FTC Releases Data Breach Response Standards
New guidance released by the Federal Trade Commission (FTC), Data Breach Response: A Guide for Business, outlines basic considerations and procedures for businesses to engage when responding to a data breach.
The FTC data breach response guide offers these valuable tips for responding to a breach:
- Secure operations to prevent further loss, mobilize your breach response team, and consult with legal counsel
- Fix vulnerabilities to ensure a breach won’t happen again by consulting with a forensics team
- Activate your communications plan
- Notify appropriate parties including law enforcement, affected businesses, and consumers
- Ensure you are following all laws and regulations related to the breach
Prepare to be Breached
In the current threat landscape, the likelihood of a company experiencing a data breach is increasing. Businesses that experience data breaches face significant business interruptions such as losing access to critical files. Breached businesses also have regulatory obligations to meet. They need to restore their systems, interact with law enforcement, and communicate with partners and customers. If there is no plan in place for responding to incidents, a business can lose time getting back up and running.
First and foremost: you need a plan. Downloading and following the FTC guidance will get you started with the fundamentals, but it is not a one-size-fits-all solution. Your team should spend time proactively building a data breach incident response plan that aligns with your business operations. Being breached should be considered a “when,” not an “if,” proposition.
Here are some important steps your company can take to proactively prepare for a breach:
- Put together an incident response team. Your incident response team could include senior management, network administrators, network engineers, legal, security, public affairs, and human resources. There should be a point of contact for each step of the plan.
- Consider hiring a data breach coach. A data breach coach can help a business through all of the steps in creating a plan and bring coveted connections to this process, easing the planning and response for your company. Interviewing potential partners to work with your firm while responding to a breach is not ideal. These relationships should already be established and ready to be mobilized.
- Conduct data breach simulations and exercises. Once a plan is in place, it needs to be tested. The plan should be actively tested on a regular basis and include the team leaders named in the plan and executive leadership. Team leaders need to know how to respond to each likely breach situation, and cyber exercises are a great way to play out different scenarios. If something doesn’t work, revise it. When a real breach happens, team leaders should understand their roles. Parts of the plan can be tested on their own, but the full plan should be tested at least annually and updated continuously.
- Businesses should engage a forensics company. Ideally, a relationship with a vendor should be in place before a breach. Once a breach occurs, businesses don’t have time to vet partners and build relationships. There should be a contract in place, your business should know how quickly a forensics team can be mobilized, and the vendor should have what they need to begin working for you.
- Legal counsel should be consulted. If you don’t have in-house counsel with breach expertise, your company should have a retainer with a legal entity (attorney, firm). Legal counsel with data breach experience will help determine applicable reporting requirements and laws. Additionally, counsel can ensure that attorney-client privilege protects sensitive information and that appropriate protections are included in statements of work with partners in breach response.
- Contact your insurance company. Do you have data breach insurance? Do you know what your policy covers and who your contacts are? Your insurance contact and policy information should be clearly featured in a data breach response plan along with other relevant contacts. That information should be updated consistently in the response plan.
- Inform your board, partners, customers, and the public. Determine your interested parties and what you are required to tell them. If consumer information was stolen, you may need to contact the state attorney general, law enforcement agencies, credit monitoring agencies, and even the media. Moreover, you may want to cover fraud monitoring for your customers. Depending on your company and the size of the breach, the communications process can take years. Take advantage of the FTC data breach response guidance. It includes a model letter to send to the public, including contact numbers for the credit bureaus. Be cautious in this step: law enforcement agencies may want you to hold off on communications, but regulations may require more timely action.
In the unfortunate event that you must activate your plan, it is tempting in the aftermath to focus solely on your core business to rebuild. But you must also document lessons learned and re-evaluate your plan. What worked? What didn’t? What would you do differently? Why? You need to get all stakeholders together, find out which parts of the plan worked, and decide what to change. Put your changes in place, document your revised plan, and test it again.
Delta Risk can help you determine the effectiveness of your current data breach strategy through our risk assessments, technical training and exercises, and penetration tests. Learn more about our incident response services.